Bumpsurllib3 from 2.5.0 to 2.6.0.
Release notes
Sourced fromurllib3's releases.
2.6.0
🚀 urllib3 is fundraising for HTTP/2 support
urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projectsplease consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.
Thank you for your support.
Security
- Fixed a security issue where streaming API could improperly handle highly compressed HTTP content ("decompression bombs") leading to excessive resource consumption even when a small amount of data was requested. Reading small chunks of compressed data is safer and much more efficient now. (CVE-2025-66471 reported by
@Cycloctane, 8.9 High,GHSA-2xpw-w6gg-jr37) - Fixed a security issue where an attacker could compose an HTTP response with virtually unlimited links in the
Content-Encoding header, potentially leading to a denial of service (DoS) attack by exhausting system resources during decoding. The number of allowed chained encodings is now limited to 5. (CVE-2025-66418 reported by@illia-v, 8.9 High,GHSA-gm62-xv2j-4w53)
[!IMPORTANT]
- If urllib3 is not installed with the optional
urllib3[brotli] extra, but your environment contains a Brotli/brotlicffi/brotlipy package anyway, make sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to benefit from the security fixes and avoid warnings. Prefer usingurllib3[brotli] to install a compatible Brotli package automatically. - If you use custom decompressors, please make sure to update them to respect the changed API of
urllib3.response.ContentDecoder.
Features
- Enabled retrieval, deletion, and membership testing in
HTTPHeaderDict using bytes keys. (#3653) - Added host and port information to string representations of
HTTPConnection. (#3666) - Added support for Python 3.14 free-threading builds explicitly. (#3696)
Removals
- Removed the
HTTPResponse.getheaders() method in favor ofHTTPResponse.headers. Removed theHTTPResponse.getheader(name, default) method in favor ofHTTPResponse.headers.get(name, default). (#3622)
Bugfixes
- Fixed redirect handling in
urllib3.PoolManager when an integer is passed for the retries parameter. (#3649) - Fixed
HTTPConnectionPool when used in Emscripten with no explicit port. (#3664) - Fixed handling of
SSLKEYLOGFILE with expandable variables. (#3700)
Misc
- Changed the
zstd extra to installbackports.zstd instead ofzstandard on Python 3.13 and before. (#3693) - Improved the performance of content decoding by optimizing
BytesQueueBuffer class. (#3710) - Allowed building the urllib3 package with newer setuptools-scm v9.x. (#3652)
- Ensured successful urllib3 builds by setting Hatchling requirement to ≥ 1.27.0. (#3638)
Changelog
Sourced fromurllib3's changelog.
2.6.0 (2025-12-05)
Security
- Fixed a security issue where streaming API could improperly handle highlycompressed HTTP content ("decompression bombs") leading to excessive resourceconsumption even when a small amount of data was requested. Reading smallchunks of compressed data is safer and much more efficient now.(
GHSA-2xpw-w6gg-jr37 <https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37>__) - Fixed a security issue where an attacker could compose an HTTP response withvirtually unlimited links in the
Content-Encoding header, potentiallyleading to a denial of service (DoS) attack by exhausting system resourcesduring decoding. The number of allowed chained encodings is now limited to 5.(GHSA-gm62-xv2j-4w53 <https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53>__)
.. caution::
If urllib3 is not installed with the optionalurllib3[brotli] extra, butyour environment contains a Brotli/brotlicffi/brotlipy package anyway, makesure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 tobenefit from the security fixes and avoid warnings. Prefer usingurllib3[brotli] to install a compatible Brotli package automatically.
If you use custom decompressors, please make sure to update them torespect the changed API ofurllib3.response.ContentDecoder.
Features
- Enabled retrieval, deletion, and membership testing in
HTTPHeaderDict using bytes keys. ([#3653](https://github.com/urllib3/urllib3/issues/3653) <https://github.com/urllib3/urllib3/issues/3653>__) - Added host and port information to string representations of
HTTPConnection. ([#3666](https://github.com/urllib3/urllib3/issues/3666) <https://github.com/urllib3/urllib3/issues/3666>__) - Added support for Python 3.14 free-threading builds explicitly. (
[#3696](https://github.com/urllib3/urllib3/issues/3696) <https://github.com/urllib3/urllib3/issues/3696>__)
Removals
- Removed the
HTTPResponse.getheaders() method in favor ofHTTPResponse.headers.Removed theHTTPResponse.getheader(name, default) method in favor ofHTTPResponse.headers.get(name, default). ([#3622](https://github.com/urllib3/urllib3/issues/3622) <https://github.com/urllib3/urllib3/issues/3622>__)
Bugfixes
- Fixed redirect handling in
urllib3.PoolManager when an integer is passedfor the retries parameter. ([#3649](https://github.com/urllib3/urllib3/issues/3649) <https://github.com/urllib3/urllib3/issues/3649>__) - Fixed
HTTPConnectionPool when used in Emscripten with no explicit port. ([#3664](https://github.com/urllib3/urllib3/issues/3664) <https://github.com/urllib3/urllib3/issues/3664>__) - Fixed handling of
SSLKEYLOGFILE with expandable variables. ([#3700](https://github.com/urllib3/urllib3/issues/3700) <https://github.com/urllib3/urllib3/issues/3700>__)
... (truncated)
Commits
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting@dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebase will rebase this PR@dependabot recreate will recreate this PR, overwriting any edits that have been made to it@dependabot merge will merge this PR after your CI passes on it@dependabot squash and merge will squash and merge this PR after your CI passes on it@dependabot cancel merge will cancel a previously requested merge and block automerging@dependabot reopen will reopen this PR if it is closed@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from theSecurity Alerts page.
Bumpsurllib3 from 2.5.0 to 2.6.0.
Release notes
Sourced fromurllib3's releases.
Changelog
Sourced fromurllib3's changelog.
... (truncated)
Commits
720f484Release 2.6.024d7b67Merge commit from forkc19571dMerge commit from fork816fcf0Bump actions/setup-python from 6.0.0 to 6.1.0 (#3725)18af0a1Improve speed ofBytesQueueBuffer.get()by using memoryview (#3711)1f6abacBump versions of pre-commit hooks (#3716)1c8fbf7Bump actions/checkout from 5.0.0 to 6.0.0 (#3722)7784b9eAdd Python 3.15 to CI (#3717)0241c9eUpdated docs to reflect change in optional zstd dependency fromzstandardt...7afcabbExpand environment variable of SSLKEYLOGFILE (#3705)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from theSecurity Alerts page.